Skip to Main Content

We have a new app!

Take the Access library with you wherever you go—easy access to books, videos, images, podcasts, personalized features, and more.

Download the Access App here: iOS and Android


In this chapter, you will learn to

  • Understand the phases of data incident management

  • Recognize the difference between incidents, events, and data breaches

  • Apply responsibilities of incident response team members

  • Comprehend required actions when third parties cause the incident

  • Examine external notification requirements for data breaches

Our story begins at the end of the week. It's Friday afternoon and Sally, the health records specialist, is just about finished for the day. Looking forward to a long weekend of rest and relaxation after a busy week, she was almost done adhering with the organization's Clean Desk Policy. Sally chuckles to herself as she remembers the reason she has to make sure her desk and work area are clean of paper, files, and electronic media each day before she leaves is her own doing. After earning her certification in health information privacy and security, Sally helped her organization develop and implement the Clean Desk Policy, along with several other policies, that improved the overall information security program. "Having clutter on a desk or workspace when no one is around is an invitation for after-hour workers or passersby to simply steal paper and electronic health information. Desks must be clutter-free as much as possible," she told the healthcare CIO.

Tonight was a big night. Sally was looking forward to getting out of the office. Then the phone rang. "Hello, this is Sally, health information management. Can I help you?" The voice on the other end of the line sounded worried.

"Yes, I hope so," he stammered. "My name is Jack, and I work in pediatrics."

"OK, Jack, what can I do for you?"

"Well, I was working with a healthcare provider downtown, and I sent her a roster with all of her patients that are seen here."

Sally provided reassurance. "That's OK. Did you encrypt the data?"

"No," Jack replied, "How do I do that?"

"We can cover that later," Sally told him. "We may still be OK. Tell me, did you send it to the doctor and only the one recipient?"

"That is the problem," Jack blurted out. "I meant to send it to Mary Ann Williams at Children's Hospital. But my e-mail autopopulated another Williams—Andrew Williams to be exact." Jack continued, "I hit Send before I noticed the mistake. Andrew Williams is a reporter from the local newspaper. That file had more than 500 patient names, record numbers, appointment dates, and reasons for visit." Jack deflated. "I have no idea how I have his e-mail address, but I do."

Sally sighed. She knew her weekend plans are now canceled. "Jack, we have some work to do," Sally said as she remained calm. "At this point, we have to initiate our organization's incident reporting process."

The story you have just ...

Pop-up div Successfully Displayed

This div only appears when the trigger link is hovered over. Otherwise it is hidden from view.